Exam SC-200 topic 3 question 69 discussion

Investigate Comment

The correct answers are: - Investigate - Comments

First box Investigation - clear choice Second box - two viable options Alerts or Comments. It's Comments per the below verbatim in this Microsoft article: https://learn.microsoft.com/en-us/azure/sentinel/investigate-incidents#audit-and-comment-on-incidents Audit and comment on incidents When investigating an incident, you'll want to thoroughly document the steps you take, both to ensure accurate reporting to management and to enable seamless cooperation and collaboration amongst coworkers. You'll also want to clearly see records of any actions taken on the incident by others, including by automated processes. Microsoft Sentinel gives you the Activity log, a rich audit and commenting environment, to help you accomplish this.

Correct option

You dont need to click investigate to see the entities. You can just highlight a sentinel incident and click entities. You can also get thesde by clicking invetigate then entities. Question out of date now maybe? 2nd comments for me. Poeple keep saying alerts but where within alerts does it show the steps one has taken to investigate the issue? Which is the ask. At the bottom of the setninel incident page there is comments section where you can add a comment. Anyone else working that incident can see the comment.

Investigate and comments

Investigate and comments

Investigate Comments

Investigation + Bookmark, Alerts are notifications that are generated when suspicious or malicious activity is detected. They can be used to notify you of potential threats, and they can also be used to start investigations. However, alerts do not provide a list of the activities that have been performed during an investigation. Comments are used to add notes to investigations. They can be used to track the progress of an investigation, or to provide additional information about the investigation. However, comments do not provide a list of the activities that have been performed during an investigation.

In order to check the activities during the investigation, normally you go to "Activity Log" and there you can check the activities and the comments. Since there is no "Activy Log" option, i would go for "Comments" Also from the below link we can see "Comment on incidents https://learn.microsoft.com/en-us/azure/sentinel/investigate-incidents#audit-and-comment-on-incidents As a security operations analyst, when investigating an incident you will want to thoroughly document the steps you take, both to ensure accurate reporting to management and to enable seamless cooperation and collaboration amongst coworkers. Microsoft Sentinel gives you a rich commenting environment to help you accomplish this." "Alerts" tab for sure doesnt show you the activities that took place during the investigation

tested on Sentinel. its definitely, Investigate and Alerts.

https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases#comment-on-incidents the second one will be Comments

I don't think its alerts , I'm going with comments

Investigate Alerts https://learn.microsoft.com/en-us/azure/sentinel/investigate-cases

Investigate <> Alerts Comments is only what has been added by a user nothing more.